authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-11-08 00:45:35 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-11-08 00:45:35 +0000
commitad889ed4b346cf23a293ccca7173155cb2c7b96b (patch)
tree4af13e1664679a08b0035b108a4deeec5a7f20c6 /sbin
parentf79d6110d197c3e4858e283591f7031205d91a53 (diff)
Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g. pass in proto tcp to self flags S/SA keep state (no-sync) ok cedric@ henning@ dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y23
-rw-r--r--sbin/pfctl/pfctl_parser.c10
2 files changed, 29 insertions, 4 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 54a36cf53ef..de5ace0dc16 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.420 2003/11/06 15:16:50 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.421 2003/11/08 00:45:34 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -112,7 +112,7 @@ struct node_icmp {
struct node_icmp *tail;
};
-enum { PF_STATE_OPT_MAX=0, PF_STATE_OPT_TIMEOUT=1 };
+enum { PF_STATE_OPT_MAX=0, PF_STATE_OPT_NOSYNC=1, PF_STATE_OPT_TIMEOUT=2 };
struct node_state_opt {
int type;
union {
@@ -367,7 +367,7 @@ typedef struct {
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token REQUIREORDER SYNPROXY FINGERPRINTS
+%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC
%token ANTISPOOF FOR
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
@@ -1408,6 +1408,14 @@ pfrule : action dir logquick interface route af proto fromto
}
r.max_states = o->data.max_states;
break;
+ case PF_STATE_OPT_NOSYNC:
+ if (r.rule_flag & PFRULE_NOSYNC) {
+ yyerror("state option 'sync' "
+ "multiple definitions");
+ YYERROR;
+ }
+ r.rule_flag |= PFRULE_NOSYNC;
+ break;
case PF_STATE_OPT_TIMEOUT:
if (r.timeout[o->data.timeout.number]) {
yyerror("state timeout %s "
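Review bot: The duplicate-definition diagnostic in the new `PF_STATE_OPT_NOSYNC` case names the option `'sync'`, but the keyword that reaches this case is `no-sync` (the `lookup` table entry added further down in this commit), so a rule that repeats the option would be told about an option it never named. Change the call to `yyerror("state option 'no-sync' " "multiple definitions");` so the message matches the keyword, in the same way the neighbouring `max` and timeout branches report their own option names. The enclosing pfrule action and its switch over the state option list start and end outside the hunk.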
@@ -2398,6 +2406,14 @@ state_opt_item : MAXIMUM number {
$$->next = NULL;
$$->tail = $$;
}
+ | NOSYNC {
+ $$ = calloc(1, sizeof(struct node_state_opt));
+ if ($$ == NULL)
+ err(1, "state_opt_item: calloc");
+ $$->type = PF_STATE_OPT_NOSYNC;
+ $$->next = NULL;
+ $$->tail = $$;
+ }
| STRING number {
int i;
@@ -3950,6 +3966,7 @@ lookup(char *s)
{ "no", NO},
{ "no-df", NODF},
{ "no-route", NOROUTE},
+ { "no-sync", NOSYNC},
{ "on", ON},
{ "optimization", OPTIMIZATION},
{ "os", OS},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index ae4aec5a168..18adf05bfa8 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.179 2003/11/06 15:18:12 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.180 2003/11/08 00:45:34 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -704,6 +704,8 @@ print_rule(struct pf_rule *r, int verbose)
opts = 0;
if (r->max_states)
opts = 1;
+ if (r->rule_flag & PFRULE_NOSYNC)
+ opts = 1;
for (i = 0; !opts && i < PFTM_MAX; ++i)
if (r->timeout[i])
opts = 1;
@@ -713,6 +715,12 @@ print_rule(struct pf_rule *r, int verbose)
printf("max %u", r->max_states);
opts = 0;
}
+ if (r->rule_flag & PFRULE_NOSYNC) {
+ if (!opts)
+ printf(", ");
+ printf("no-sync");
+ opts = 0;
+ }
for (i = 0; i < PFTM_MAX; ++i)
if (r->timeout[i]) {
if (!opts)